Learning From Others: Incident Response and Catastrophic Compromise

In May, I talked a bit about compensating controls and their value in layered defenses. The Wall Street Journal recently detailed what appears to be another significant failure of detective controls, as Dubai police worked with national governments to apprehend suspects in the assassination of Mahmoud al-Mabhouh. Authorities in Dubai posted about 30 minutes of video footage to YouTube shortly after al-Mabhouh’s January death. The videos showed a significant amount of coordination and investigation to tie together more than two dozen suspects over several locations throughout Dubai. Now, nine months later, despite this tremendous investigative effort, the trail shows few signs of progress. But when looked at from the perspective of incident response, even a spectacular failure can be a successful lesson learned for tomorrow.

Responding to a Catastrophic Incident

It is perhaps unfair to compare the resources and motivations of the public sector dealing with an international crime, particularly an assassination, with anything handled in the private sector. Police investigations are funded and pursued under entirely different paradigms than organizational investigations into security breaches. But if you will permit me a broad generalization for the purposes of comparison, I think there are lessons to be learned. What we are seeing is one group (the Dubai authorities) responding to an incident of tremendous importance that not only falls within their core mission of law enforcement, but also has political and reputational ramifications for their partnerships. From this generalization, I believe we can draw some insight into how our own organizations could deal with incidents that strike at or near the heart of our own organizational risk sensitivities.

Imagine if you will that this is the analog of your own organization facing one of its most catastrophic risk scenarios: determined, well-funded attackers make a calculated and surgical strike against a key asset, and successfully compromise it completely.

How will you:

Notice that it has been compromised?

Distinguish unexpected access from unauthorized access? (e.g. how do you overcome anti-forensics?)

Intelligence (of the information gathering and processing sort) was invaluable in the Dubai police force’s response to this incident. In each case, having skilled, perceptive, and knowledgeable operators processing the incident intelligence was a key factor. Suspicions about the murder scene led to a review of security camera footage; keen eyes noticed that the deceased al-Mabhouh was not wearing the same shirt at the time of death as he was seen in on the last known footage of him alive; a search for the shirt uncovered broken bed slats, which prompted an investigation into a struggle and possible murder; and so on.

The Wall Street Journal’s recounting of the investigation highlights a number of impressive accomplishments:

Correlating the suspect list

Tracking suspects’ activities through multiple venues, including other hotels, the airport, and a nearby shopping mall

Tying communications not among suspects, but by suspects to a set of Austrian phone numbers

Noticing small details, such as suspects approaching and then retreating from a vehicle (which suggests it may have been a vehicle they were expecting)

Reviewing 10,000 man-hours' worth of video content, manually and with facial recognition and other specialized software

What we see here is not just organizational preparedness (collecting and correlating video footage), but also a capability to extract subtle information that leads to further information about the attackers. Each new connection uncovers an opportunity to recognize more patterns, uncover additional suspects, identify additional resources used, and ultimately lead to the source of the attack.
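The correlation capability described above, together with the two questions posed earlier (noticing that an asset has been compromised, and separating unexpected access from unauthorized access), can be illustrated with a small pivot over log events. The following Python is an added example, not code from the original post or from Cisco; the events, the allow-list of (user, host) pairs and the usual-source map are constructed sample data, and every field and function name is an assumption.

```python
"""Pivoting from one compromised asset through correlated log events.

Added example for illustration; not code from the original post. The events,
the allow-list and the usual-source map are all constructed sample data, and
every field name here is an assumption.
"""
from collections import deque

# Constructed sample events: (timestamp, user, src_ip, host)
EVENTS = [
    ("2010-01-19T22:05", "jsmith",     "10.0.5.17", "fileserver01"),
    ("2010-01-19T22:07", "jsmith",     "10.0.5.17", "hr-db"),
    ("2010-01-19T22:40", "svc_backup", "10.0.5.17", "fileserver01"),
    ("2010-01-19T23:10", "svc_backup", "10.0.9.2",  "build01"),
    ("2010-01-20T08:00", "amiller",    "10.0.7.44", "fileserver01"),
    ("2010-01-20T09:30", "amiller",    "10.0.7.44", "wiki"),
]

# Constructed baseline: which (user, host) pairs are authorized at all...
ALLOWED = {
    ("jsmith", "fileserver01"),
    ("svc_backup", "fileserver01"), ("svc_backup", "build01"),
    ("amiller", "fileserver01"), ("amiller", "wiki"),
}
# ...and the source address each account normally comes from.
USUAL_SRC = {"jsmith": "10.0.5.17", "svc_backup": "10.0.9.2", "amiller": "10.0.7.44"}


def classify(event):
    """Label one event: 'unauthorized' (pair never permitted), 'unexpected'
    (permitted, but from an address the account does not normally use) or
    'expected'. This is the unexpected-vs-unauthorized split the post asks for."""
    _, user, src_ip, host = event
    if (user, host) not in ALLOWED:
        return "unauthorized"
    if USUAL_SRC.get(user) != src_ip:
        return "unexpected"
    return "expected"


def pivot(events, seed, follow=lambda ev: True, max_depth=3):
    """Breadth-first pivot. Starting from one entity (a host, user or address),
    follow every event that `follow` accepts and that shares an entity already
    reached, pulling in the other entities on that event. Returns
    {entity: depth}, so an analyst can see how many hops away each was found."""
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        depth = reached[node]
        if depth >= max_depth:
            continue
        for ev in events:
            entities = ev[1:]  # user, src_ip, host
            if node not in entities or not follow(ev):
                continue
            for entity in entities:
                if entity not in reached:
                    reached[entity] = depth + 1
                    queue.append(entity)
    return reached


def scope_incident(events, seed):
    """Pivot from the compromised asset, but only across events that are not
    expected, so routine activity does not drag unrelated assets into scope.
    Returns the reached entities and the suspicious events that linked them."""
    suspicious = [ev for ev in events if classify(ev) != "expected"]
    reached = pivot(events, seed, follow=lambda ev: classify(ev) != "expected")
    linked = [ev for ev in suspicious if any(e in reached for e in ev[1:])]
    return reached, linked


if __name__ == "__main__":
    reached, linked = scope_incident(EVENTS, "fileserver01")
    for entity, depth in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"hop {depth}: {entity}")
    for ev in linked:
        print(classify(ev), ev)
```

Run against the constructed data, the unscoped pivot from fileserver01 reaches every entity in the log (ten of them), which is the "everything touched the file server" problem. Restricting the pivot to events that are unexpected or unauthorized keeps amiller's routine activity out of scope and surfaces the chain the analyst wants: a service account used from a workstation address it never normally uses, and that same workstation reaching a database its user is not permitted to access. Each hop is a new lead of the kind the post describes, and the depth map records how it was reached.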

Calling it Quits

But at nine months since the attack, and with many leads turning up empty or as dead ends, what success can be hoped for in this case? Surely those most closely associated with the operation have retreated to safety by now. At what point might your organization have to decide enough is enough? What continued costs should be incurred to pursue some measure of success? And in the course of the investigation, how can costs be controlled from Day 1 to ensure that an investigation can run its course most thoroughly before reaching the tipping point into ineffectiveness, throwing good money after bad or spending more in response than the compromised asset was worth?

Promoting education and repeating lessons learned is the cornerstone of solid incident response. If at each opportunity an organization can learn from its past failures as well as successes, then future incidents are less likely to be as impactful. Better still to learn from incidents that others have paid the price for, and apply those lessons to your own organization proactively.

Some of the individuals posting to this site, including the moderators, work for Cisco Systems. Opinions expressed here and in any corresponding comments are the personal opinions of the original authors, not of Cisco.